<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content=
    "application/xhtml+xml; charset=iso-8859-1" />
    <title>
      Setting Up a Network Firewall
    </title>
    <link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
    <meta name="generator" content="DocBook XSL Stylesheets V1.79.1" />
    <link rel="stylesheet" href="../stylesheets/lfs-print.css" type=
    "text/css" media="print" />
  </head>
  <body class="blfs" id="blfs-9.1">
    <div class="navheader">
      <h4>
        Beyond Linux<sup>�</sup> From Scratch <span class="phrase">(System
        V</span> Edition) - Version 9.1
      </h4>
      <h3>
        Chapter&nbsp;4.&nbsp;Security
      </h3>
      <ul>
        <li class="prev">
          <a accesskey="p" href="iptables.html" title=
          "iptables-1.8.4">Prev</a>
          <p>
            iptables-1.8.4
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="libcap.html" title=
          "libcap-2.31 with PAM">Next</a>
          <p>
            libcap-2.31 with PAM
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
    <div class="sect1" lang="en" xml:lang="en">
      <h1 class="sect1">
        <a id="fw-firewall" name="fw-firewall"></a>Setting Up a Network
        Firewall
      </h1>
      <p>
        Before you read this part of the chapter, you should have already
        installed iptables as described in the previous section.
      </p>
      <div class="sect2" lang="en" xml:lang="en">
        <h2 class="sect2">
          <a id="fw-intro" name="fw-intro"></a>Introduction to Firewall
          Creation
        </h2>
        <p>
          The general purpose of a firewall is to protect a computer or a
          network against malicious access.
        </p>
        <p>
          In a perfect world, every daemon or service on every machine is
          perfectly configured and immune to flaws such as buffer overflows
          or other problems regarding its security. Furthermore, you trust
          every user accessing your services. In this world, you do not need
          to have a firewall.
        </p>
        <p>
          In the real world however, daemons may be misconfigured and
          exploits against essential services are freely available. You may
          wish to choose which services are accessible by certain machines or
          you may wish to limit which machines or applications are allowed
          external access. Alternatively, you may simply not trust some of
          your applications or users. You are probably connected to the
          Internet. In this world, a firewall is essential.
        </p>
        <p>
          Don't assume however, that having a firewall makes careful
          configuration redundant, or that it makes any negligent
          misconfiguration harmless. It doesn't prevent anyone from
          exploiting a service you intentionally offer but haven't recently
          updated or patched after an exploit went public. Despite having a
          firewall, you need to keep applications and daemons on your system
          properly configured and up to date. A firewall is not a cure all,
          but should be an essential part of your overall security strategy.
        </p>
      </div>
      <div class="sect2" lang="en" xml:lang="en">
        <h2 class="sect2">
          Meaning of the Word "Firewall"
        </h2>
        <p>
          The word firewall can have several different meanings.
        </p>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3"></h3>
          <h4 class="title">
            <a id="idm45779285047296" name="idm45779285047296"></a><a class=
            "xref" href="firewall.html#fw-persFw" title=
            "Personal Firewall">Personal Firewall</a>
          </h4>
          <p>
            This is a hardware device or software program commercially sold
            (or offered via freeware) by companies such as Symantec which
            claims that it secures a home or desktop computer connected to
            the Internet. This type of firewall is highly relevant for users
            who do not know how their computers might be accessed via the
            Internet or how to disable that access, especially if they are
            always online and connected via broadband links.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3"></h3>
          <h4 class="title">
            <a id="idm45779285044704" name="idm45779285044704"></a><a class=
            "xref" href="firewall.html#fw-masqRouter" title=
            "Masquerading Router">Masquerading Router</a>
          </h4>
          <p>
            This is a system placed between the Internet and an intranet. To
            minimize the risk of compromising the firewall itself, it should
            generally have only one role&mdash;that of protecting the
            intranet. Although not completely risk free, the tasks of doing
            the routing and IP masquerading (rewriting IP headers of the
            packets it routes from clients with private IP addresses onto the
            Internet so that they seem to come from the firewall itself) are
            commonly considered relatively secure.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3"></h3>
          <h4 class="title">
            <a id="idm45779285042032" name="idm45779285042032"></a><a class=
            "xref" href="firewall.html#fw-busybox" title=
            "BusyBox">BusyBox</a>
          </h4>
          <p>
            This is often an old computer you may have retired and nearly
            forgotten, performing masquerading or routing functions, but
            offering non-firewall services such as a web-cache or mail. This
            may be used for home networks, but is not to be considered as
            secure as a firewall only machine because the combination of
            server and router/firewall on one machine raises the complexity
            of the setup.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3"></h3>
          <h4 class="title">
            <a id="idm45779285039952" name="idm45779285039952"></a>Firewall
            with a Demilitarized Zone [Not Further Described Here]
          </h4>
          <p>
            This box performs masquerading or routing, but grants public
            access to some branch of your network which, because of public
            IPs and a physically separated structure, is essentially a
            separate network with direct Internet access. The servers on this
            network are those which must be easily accessible from both the
            Internet and intranet. The firewall protects both networks. This
            type of firewall has a minimum of three network interfaces.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3"></h3>
          <h4 class="title">
            <a id="idm45779285038224" name=
            "idm45779285038224"></a>Packetfilter
          </h4>
          <p>
            This type of firewall does routing or masquerading, but does not
            maintain a state table of ongoing communication streams. It is
            fast, but quite limited in its ability to block undesired packets
            without blocking desired packets.
          </p>
        </div>
      </div>
      <div class="sect2" lang="en" xml:lang="en">
        <h2 class="sect2">
          <a id="fw-writing" name="fw-writing"></a>Now You Can Start to Build
          your Firewall
        </h2>
        <div class="admon caution">
          <img alt="[Caution]" src="../images/caution.png" />
          <h3>
            Caution
          </h3>
          <p>
            This introduction on how to setup a firewall is not a complete
            guide to securing systems. Firewalling is a complex issue that
            requires careful configuration. The scripts quoted here are
            simply intended to give examples of how a firewall works. They
            are not intended to fit into any particular configuration and may
            not provide complete protection from an attack.
          </p>
          <p>
            Customization of these scripts for your specific situation will
            be necessary for an optimal configuration, but you should make a
            serious study of the iptables documentation and creating
            firewalls in general before hacking away. Have a look at the list
            of <a class="xref" href="firewall.html#fw-library" title=
            "Where to Start with Further Reading on Firewalls">links for
            further reading</a> at the end of this section for more details.
            There you will find a list of URLs that contain quite
            comprehensive information about building your own firewall.
          </p>
        </div>
        <p>
          The firewall configuration script installed in the iptables section
          differs from the standard configuration script. It only has two of
          the standard targets: start and status. The other targets are clear
          and lock. For instance if you issue:
        </p>
        <pre class="root">
<kbd class="command">/etc/rc.d/init.d/iptables start</kbd>
</pre>
        <p>
          the firewall will be restarted just as it is upon system startup.
          The status target will present a list of all currently implemented
          rules. The clear target turns off all firewall rules and the lock
          target will block all packets in and out of the computer with the
          exception of the loopback interface.
        </p>
        <p>
          The main startup firewall is located in the file <code class=
          "filename">/etc/rc.d/rc.iptables</code>. The sections below provide
          three different approaches that can be used for a system.
        </p>
        <div class="admon note">
          <img alt="[Note]" src="../images/note.png" />
          <h3>
            Note
          </h3>
          <p>
            You should always run your firewall rules from a script. This
            ensures consistency and a record of what was done. It also allows
            retention of comments that are essential for understanding the
            rules long after they were written.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="fw-persFw" name="fw-persFw"></a>
          </h3>
          <h4 class="title">
            <a id="fw-persFw" name="fw-persFw"></a>Personal Firewall
          </h4>
          <p>
            A Personal Firewall is designed to let you access all the
            services offered on the Internet, but keep your box secure and
            your data private.
          </p>
          <p>
            Below is a slightly modified version of Rusty Russell's
            recommendation from the <a class="ulink" href=
            "http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
            Linux 2.4 Packet Filtering HOWTO</a>. It is still applicable to
            the Linux 2.6 kernels.
          </p>
          <pre class="root">
<kbd class="command">cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<code class="literal">#!/bin/sh

# Begin rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables</code>
EOF
chmod 700 /etc/rc.d/rc.iptables</kbd>
</pre>
          <p>
            This script is quite simple, it drops all traffic coming into
            your computer that wasn't initiated from your computer, but as
            long as you are simply surfing the Internet you are unlikely to
            exceed its limits.
          </p>
          <p>
            If you frequently encounter certain delays at accessing FTP
            servers, take a look at <a class="xref" href=
            "firewall.html#fw-BB-4">BusyBox example number 4</a>.
          </p>
          <p>
            Even if you have daemons or services running on your system,
            these will be inaccessible everywhere but from your computer
            itself. If you want to allow access to services on your machine,
            such as <span class="command"><strong>ssh</strong></span> or
            <span class="command"><strong>ping</strong></span>, take a look
            at <a class="xref" href="firewall.html#fw-busybox" title=
            "BusyBox">BusyBox</a>.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="fw-masqRouter" name="fw-masqRouter"></a>
          </h3>
          <h4 class="title">
            <a id="fw-masqRouter" name="fw-masqRouter"></a>Masquerading
            Router
          </h4>
          <p>
            A true Firewall has two interfaces, one connected to an intranet,
            in this example <span class=
            "strong"><strong>eth0</strong></span>, and one connected to the
            Internet, here <span class="strong"><strong>ppp0</strong></span>.
            To provide the maximum security for the firewall itself, make
            sure that there are no unnecessary servers running on it such as
            <span class="application">X11</span> et al. As a general
            principle, the firewall itself should not access any untrusted
            service (think of a remote server giving answers that makes a
            daemon on your system crash, or even worse, that implements a
            worm via a buffer-overflow).
          </p>
          <pre class="root">
<kbd class="command">cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<code class="literal">#!/bin/sh

# Begin rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward</code>
EOF
chmod 700 /etc/rc.d/rc.iptables</kbd>
</pre>
          <p>
            With this script your intranet should be reasonably secure
            against external attacks. No one should be able to setup a new
            connection to any internal service and, if it's masqueraded,
            makes your intranet invisible to the Internet. Furthermore, your
            firewall should be relatively safe because there are no services
            running that a cracker could attack.
          </p>
          <div class="admon note">
            <img alt="[Note]" src="../images/note.png" />
            <h3>
              Note
            </h3>
            <p>
              If the interface you're connecting to the Internet doesn't
              connect via PPP, you will need to change <em class=
              "replaceable"><code>&lt;ppp+&gt;</code></em> to the name of the
              interface (e.g., <span class=
              "strong"><strong>eth1</strong></span>) which you are using.
            </p>
          </div>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="fw-busybox" name="fw-busybox"></a>
          </h3>
          <h4 class="title">
            <a id="fw-busybox" name="fw-busybox"></a>BusyBox
          </h4>
          <p>
            This scenario isn't too different from the <a class="xref" href=
            "firewall.html#fw-masqRouter" title=
            "Masquerading Router">Masquerading Router</a>, but additionally
            offers some services to your intranet. Examples of this can be
            when you want to administer your firewall from another host on
            your intranet or use it as a proxy or a name server.
          </p>
          <div class="admon note">
            <img alt="[Note]" src="../images/note.png" />
            <h3>
              Note
            </h3>
            <p>
              Outlining a true concept of how to protect a server that offers
              services on the Internet goes far beyond the scope of this
              document. See the references at the end of this section for
              more information.
            </p>
          </div>
          <p>
            Be cautious. Every service you have enabled makes your setup more
            complex and your firewall less secure. You are exposed to the
            risks of misconfigured services or running a service with an
            exploitable bug. A firewall should generally not run any extra
            services. See the introduction to the <a class="xref" href=
            "firewall.html#fw-masqRouter" title=
            "Masquerading Router">Masquerading Router</a> for some more
            details.
          </p>
          <p>
            If you want to add services such as internal Samba or name
            servers that do not need to access the Internet themselves, the
            additional statements are quite simple and should still be
            acceptable from a security standpoint. Just add the following
            lines into the script <span class=
            "emphasis"><em>before</em></span> the logging rules.
          </p>
          <pre class="screen">
<code class="literal">iptables -A INPUT  -i ! ppp+  -j ACCEPT
iptables -A OUTPUT -o ! ppp+  -j ACCEPT</code>
</pre>
          <p>
            If daemons, such as squid, have to access the Internet
            themselves, you could open OUTPUT generally and restrict INPUT.
          </p>
          <pre class="screen">
<code class=
"literal">iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</code>
</pre>
          <p>
            However, it is generally not advisable to leave OUTPUT
            unrestricted. You lose any control over trojans who would like to
            "call home", and a bit of redundancy in case you've
            (mis-)configured a service so that it broadcasts its existence to
            the world.
          </p>
          <p>
            To accomplish this, you should restrict INPUT and OUTPUT on all
            ports except those that it's absolutely necessary to have open.
            Which ports you have to open depends on your needs: mostly you
            will find them by looking for failed accesses in your log files.
          </p>
          <div class="itemizedlist">
            <p class="title">
              <strong>Have a Look at the Following Examples:</strong>
            </p>
            <ul class="compact">
              <li class="listitem">
                <p>
                  Squid is caching the web:
                </p>
                <pre class="screen">
<code class="literal">iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
  -j ACCEPT</code>
</pre>
              </li>
              <li class="listitem">
                <p>
                  Your caching name server (e.g., named) does its lookups via
                  UDP:
                </p>
                <pre class="screen">
<code class="literal">iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</code>
</pre>
              </li>
              <li class="listitem">
                <p>
                  You want to be able to ping your computer to ensure it's
                  still alive:
                </p>
                <pre class="screen">
<code class=
"literal">iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</code>
</pre>
              </li>
              <li class="listitem">
                <p>
                  <a id="fw-BB-4" name="fw-BB-4"></a>If you are frequently
                  accessing FTP servers or enjoy chatting, you might notice
                  certain delays because some implementations of these
                  daemons have the feature of querying an identd on your
                  system to obtain usernames. Although there's really little
                  harm in this, having an identd running is not recommended
                  because many security experts feel the service gives out
                  too much additional information.
                </p>
                <p>
                  To avoid these delays you could reject the requests with a
                  'tcp-reset':
                </p>
                <pre class="screen">
<code class=
"literal">iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</code>
</pre>
              </li>
              <li class="listitem">
                <p>
                  To log and drop invalid packets (packets that came in after
                  netfilter's timeout or some types of network scans) insert
                  these rules at the top of the chain:
                </p>
                <pre class="screen">
<code class=
"literal">iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
  -j LOG --log-prefix "FIREWALL:INVALID "
iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</code>
</pre>
              </li>
              <li class="listitem">
                <p>
                  Anything coming from the outside should not have a private
                  address, this is a common attack called IP-spoofing:
                </p>
                <pre class="screen">
<code class="literal">iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</code>
</pre>
                <p>
                  There are other addresses that you may also want to drop:
                  0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
                  experimental), 169.254.0.0/16 (Link Local Networks), and
                  192.0.2.0/24 (IANA defined test network).
                </p>
              </li>
              <li class="listitem">
                <p>
                  If your firewall is a DHCP client, you need to allow those
                  packets:
                </p>
                <pre class="screen">
<code class=
"literal">iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
   -d 255.255.255.255 --dport 68 -j ACCEPT</code>
</pre>
              </li>
              <li class="listitem">
                <p>
                  To simplify debugging and be fair to anyone who'd like to
                  access a service you have disabled, purposely or by
                  mistake, you could REJECT those packets that are dropped.
                </p>
                <p>
                  Obviously this must be done directly after logging as the
                  very last lines before the packets are dropped by policy:
                </p>
                <pre class="screen">
<code class="literal">iptables -A INPUT -j REJECT</code>
</pre>
              </li>
            </ul>
          </div>
          <p>
            These are only examples to show you some of the capabilities of
            the firewall code in Linux. Have a look at the man page of
            iptables. There you will find much more information. The port
            numbers needed for this can be found in <code class=
            "filename">/etc/services</code>, in case you didn't find them by
            trial and error in your log file.
          </p>
        </div>
      </div>
      <div class="sect2" lang="en" xml:lang="en">
        <h2 class="sect2">
          <a id="fw-finale" name="fw-finale"></a>Conclusion
        </h2>
        <p>
          Finally, there is one fact you must not forget: The effort spent
          attacking a system corresponds to the value the cracker expects to
          gain from it. If you are responsible for valuable information, you
          need to spend the time to protect it properly.
        </p>
      </div>
      <div class="sect2" lang="en" xml:lang="en">
        <h2 class="sect2">
          <a id="postlfs-security-fw-extra" name=
          "postlfs-security-fw-extra"></a>Extra Information
        </h2>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="fw-library" name="fw-library"></a>
          </h3>
          <h4 class="title">
            <a id="fw-library" name="fw-library"></a>Where to Start with
            Further Reading on Firewalls
          </h4>
          <div class="blockquote">
            <blockquote class="blockquote">
              <div class="literallayout">
                <p>
                  <br />
                  <a class="ulink" href=
                  "http://www.netfilter.org/">www.netfilter.org&nbsp;-&nbsp;Homepage&nbsp;of&nbsp;the&nbsp;netfilter/iptables&nbsp;project</a><br />

                  <a class="ulink" href=
                  "http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">
                  Netfilter&nbsp;related&nbsp;FAQ</a><br />
                  <a class="ulink" href=
                  "http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter&nbsp;related&nbsp;HOWTO's</a><br />

                  <a class="ulink" href=
                  "http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</a><br />

                  <a class="ulink" href=
                  "http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</a><br />

                  <a class="ulink" href=
                  "http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</a><br />

                  <a class="ulink" href=
                  "http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</a><br />

                  <a class="ulink" href=
                  "http://www.little-idiot.de/firewall">www.little-idiot.de/firewall&nbsp;(German&nbsp;&amp;&nbsp;outdated,&nbsp;but&nbsp;very&nbsp;comprehensive)</a><br />

                  <a class="ulink" href=
                  "http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">
                  linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</a><br />

                  <a class="ulink" href=
                  "http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</a><br />

                  <a class="ulink" href=
                  "http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</a><br />

                  <a class="ulink" href=
                  "http://www.circlemud.org/~jelson/writings/security/index.htm">
                  www.circlemud.org/~jelson/writings/security/index.htm</a><br />

                  <a class="ulink" href=
                  "http://www.securityfocus.com">www.securityfocus.com</a><br />

                  <a class="ulink" href=
                  "http://www.cert.org/tech_tips/">www.cert.org&nbsp;-&nbsp;tech_tips</a><br />

                  <a class="ulink" href=
                  "http://security.ittoolbox.com/">security.ittoolbox.com</a><br />

                  <a class="ulink" href=
                  "http://www.insecure.org/reading.html">www.insecure.org/reading.html</a><br />

                  &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                </p>
              </div>
            </blockquote>
          </div>
        </div>
      </div>
      <p class="updated">
        Last updated on 2020-02-26 08:20:10 -0800
      </p>
    </div>
    <div class="navfooter">
      <ul>
        <li class="prev">
          <a accesskey="p" href="iptables.html" title=
          "iptables-1.8.4">Prev</a>
          <p>
            iptables-1.8.4
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="libcap.html" title=
          "libcap-2.31 with PAM">Next</a>
          <p>
            libcap-2.31 with PAM
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 9.1">Home</a>
        </li>
      </ul>
    </div>
  </body>
</html>
